Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 38 Working with Discovery Events
Working with Discovery and Host Input Events
License: FireSIGHT
The system generates discovery events that communicate the details of changes in your monitored
network segments. New events are generated for newly discovered network features, and change events
are generated for any change in previously identified network assets.
During its initial network discovery phase, the system generates new events for each host and any TCP
or UDP servers discovered running on each host. Optionally, you can configure the system to use data
exported by NetFlow-enabled devices to generate these new host and server events.
In addition, the system generates new events for each network, transport, and application protocol
running on each discovered host. When you create a discovery rule configured to include
NetFlow-enabled devices, you can disable detection of application protocols. However, you cannot
disable application detection in discovery rules that do not use a configured NetFlow-enabled device. If
you enable host or user discovery in non-NetFlow discovery rules, applications are automatically
discovered.
After the initial network mapping is complete, the system continuously records network changes by
generating change events. Change events are generated whenever the configuration of a previously
discovered asset changes.
When a discovery event is generated, it is logged to the database. You can use the Defense Center web
interface to view, search, and delete discovery events. You can also use discovery events in correlation
rules. Based on the type of discovery event generated as well as other criteria that you specify, you can
build correlation rules that, when used in a correlation policy, launch remediations and syslog, SNMP,
and email alert responses when network traffic meets your criteria.
You can add data to the network map using the host input feature. You can add, modify, or delete
operating system information, which causes the system to stop updating that information for that host.
You can also manually add, modify, or delete application protocols, clients, servers, and host attributes
or modify vulnerability information. When you do this, the system generates host input events.
Table 38-1 Common Discovery Event Actions (continued)

To... delete items from the system, including:
• discovery and host input events from discovery event workflows
• hosts and network devices from host workflows
• host attributes from host attribute workflows
• servers from server workflows
• applications from application workflows
• third-party vulnerabilities from third-party vulnerability workflows
• users from user workflows

You can... use one of the following methods:
• To delete some items, select the check boxes next to the items you want to delete, then click Delete.
• To delete all items in the current constrained view, click Delete All, then confirm you want to delete all the items.
These items remain deleted until the system's discovery function is restarted, when they may be detected again.

Tip: See
for information on deleting all discovery events from the database and also for information on how to restart discovery.

Note that you cannot delete Cisco (as opposed to third-party) vulnerabilities; you can, however, mark them reviewed. For more information, see
.

To... navigate to other event views to view associated events

You can... find more information in